Researchers uncover years-long espionage campaign targeting dozens of global companies

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department recently about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies.

The organizations affected were not named in Cybereason’s report but allegedly include some of the largest companies in North America, Europe and Asia. Cybereason tied the campaign to the prolific Winnti Group, also known as APT 41.

Cybereason CEO Lior Div told The Record that the most alarming aspect of the investigation into Operation CuckooBees was the evasive and sophisticated measures used to hide inside the networks of dozens of the largest global manufacturing companies in North America, Europe and Asia as far back as 2019. 

“The group operates like a guided missile and once it locks in on its target, it attacks and doesn’t stop until it steals a company’s crown jewels,” Div said.

“Winnti pilfered thousands of gigabytes of data and to add insult to injury also made off with proprietary info on business units, customer and partner data, employee emails and other personal information for use in blackmail or extortions schemes at a time of their choosing.”

Cybereason said that throughout its 12-month investigation, it found the intruders took troves of intellectual property and sensitive proprietary data, including formulas, source code, R&D documents and blueprints, as well as diagrams of fighter jets, helicopters, missiles and more. 

The attackers also gained information that could be used for future cyberattacks, like details about a company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.

Most concerning, according to Div, was that the companies had no clue they were breached.

In two detailed reports, Cybereason attributes the attacks to Winnti based on an analysis of the digital artifacts the group seemed to have left behind after its intrusions. 

Several cybersecurity companies have been tracking Winnti since it emerged in 2010 and experts have noted the hackers to be operating on behalf of Chinese state interests, specializing in cyber-espionage and intellectual property theft.

The group used a previously undocumented malware strain called DEPLOYLOG as well as new versions of malware like Spyder Loader, PRIVATELOG, and WINNKIT.

The malware included digitally signed, kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected, Cybereason said.

The group also managed to abuse the Windows Common Log File System (CLFS) mechanism, which allowed the intruders to “conceal their payloads and evade detection by traditional security products.”

CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. 

“The attackers implemented a delicate ‘house of cards’ approach, meaning that each component depends on the others to execute properly, making it very difficult to analyze each component separately,” Div explained. 

Operation CuckooBees generally took advantage of existing weaknesses, Div said, such as "unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and no use of multi-factor authentications products."

Cybereason said that the attackers gained their initial foothold in the organizations through vulnerabilities in Enterprise Resource Planning platforms. 

Last month, FBI director Chris Wray told 60 Minutes that the "biggest" threat American law enforcement officials face is from Chinese hackers stealing proprietary information. The bureau opens a new China counterintelligence investigation about every 12 hours, he said.

"They are targeting our innovation, our trade secrets, our intellectual property on a scale that's unprecedented in history. They have a bigger hacking program than that of every other major nation combined," Wray said.

"They have stolen more of Americans' personal and corporate data than every nation combined. It affects everything from agriculture to aviation to high tech to healthcare, pretty much every sector of our economy. Anything that makes an industry tick, they target."

The Justice Department issued indictments of several alleged members of APT 41 in 2020, noting that the group had hacked more than 100 companies across the world.